# Prometheus web configuration file (Jinja2 template)
# Defines the TLS and authentication settings for the Prometheus web interface.
# Reference: https://prometheus.io/docs/prometheus/latest/configuration/https/

{% if prometheus_tls_enabled %}
# === TLS settings ===
# Rendered only when prometheus_tls_enabled is truthy; otherwise the web
# endpoint gets no tls_server_config section from this template.
tls_server_config:
  # Server certificate presented to clients.
  cert_file: "{{ prometheus_tls_cert_file }}"
  # Private key matching cert_file. Keep the file readable only by the
  # account that runs Prometheus.
  key_file: "{{ prometheus_tls_key_file }}"
{% if prometheus_tls_ca_file %}
  # CA bundle used to verify client certificates (mutual TLS).
  client_ca_file: "{{ prometheus_tls_ca_file }}"
  # Every client must present a certificate that chains to client_ca_file.
  # This applies to all consumers of the endpoint, so each of them needs a
  # client certificate before this option is rolled out.
  client_auth_type: 'RequireAndVerifyClientCert'
{% endif %}
  # Accepted protocol range: TLS 1.2 through TLS 1.3.
  min_version: 'TLS12'
  max_version: 'TLS13'
  # Cipher suites offered for TLS 1.2 connections; all are ECDHE key
  # exchange with an AEAD cipher. TLS 1.3 suites are not configured here.
  cipher_suites:
    - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    - 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    - 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    - 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    - 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305'
    - 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305'
  # Ask the server to apply its own ordering of cipher_suites rather than
  # the client's.
  # NOTE(review): newer Go runtimes may ignore this setting - confirm
  # against the deployed Prometheus build.
  prefer_server_cipher_suites: true
  # Elliptic curves allowed in the ECDHE handshake.
  curve_preferences:
    - 'CurveP256'
    - 'CurveP384'
    - 'CurveP521'
    - 'X25519'
{% endif %}

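{% if prometheus_basic_auth_enabled %}
{# Usernames and hashes are emitted through `string | tojson` so that each one
   becomes an escaped, double-quoted scalar. An unquoted key such as `no`,
   `on` or `1234` would be retyped by the YAML parser, and a value containing
   a quote, backslash or newline could otherwise alter the structure of the
   rendered file. The per-user comment line was dropped for the same reason:
   it copied the raw username into the output. #}
# === Basic authentication ===
# Maps each username to its bcrypt password hash. Never store plaintext
# passwords here. If this map renders empty, Prometheus does not require
# authentication, so prometheus_basic_auth_users must be populated whenever
# prometheus_basic_auth_enabled is set.
basic_auth_users:
{% for username, password_hash in prometheus_basic_auth_users.items() %}
  {{ username | string | tojson }}: {{ password_hash | string | tojson }}
{% endfor %}
{% endif %}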

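{% if prometheus_tls_enabled or prometheus_basic_auth_enabled %}
# === HTTP server settings ===
http_server_config:
  # Enable HTTP/2. Prometheus serves HTTP/2 only over TLS, so this has no
  # effect when basic auth is enabled without TLS.
  http2: true
  # NOTE(review): the former `header_limit` and `body_limit` keys were
  # removed. They are not http_server_config fields in the web configuration
  # schema referenced at the top of this file (which defines `http2` and
  # `headers`), and Prometheus is expected to reject unknown keys when it
  # loads this file. Enforce request-size limits at a fronting reverse proxy
  # instead, and validate the rendered file with `promtool check web-config`.
{% endif %}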